1. Technical Field of the Invention
The present invention relates to pattern matching operations and, in particular, to network security systems which screen a data packet stream for suspicious content using a pattern matcher.
2. Description of Related Art
As enterprises increasingly use the Internet to conduct business, the amount of confidential and sensitive information that is delivered over, and is accessible through, the Internet is also increasing. Unlike the private, dedicated communications networks that enterprises have used for business for the last several decades, which were relatively secure from outside intruders, the Internet and networks connected to an enterprise are susceptible to security threats and malicious eavesdropping due to their openness and ease of access. Recently, there has been an increase in the frequency of attempted breaches of network security, or hacker attacks, intended to access this confidential information or to otherwise interfere with network communications.
Network attacks are becoming not only more prevalent but also more sophisticated and severe, resulting in part from the availability of tools and information on how to conduct these attacks, an increase in hacker sophistication, an increase in the number of network access points that are vulnerable to attack and an increase in the overall amount of confidential information accessible through or delivered over the Internet. These attacks include distributed denial of service attacks, in which an attacker floods a Web site with large numbers of packets or connection requests that overwhelm the Web site and prevent legitimate users from accessing it. Other types of attacks are designed not just to prevent access to a Web site, but also to penetrate its security and allow a hacker to take control of a server and deface the Web site or steal sensitive information. Still other attacks include malicious eavesdropping, which allows a hacker to misappropriate confidential communication transmitted over the Internet. If confidential communications get into the wrong hands, damage to the business of the enterprise or, at the very least, damage to its reputation may arise. There is also a significant cost and negative publicity resulting from denial of service attacks. In an attempt to combat all of these types of attacks, enterprises have been increasing their security budgets to address heightened network vulnerability concerns.
Intrusion detection systems are commonly used as one measure of network defense. Such systems are commonly passive: they monitor traffic, identify portions of the traffic which are suspicious, threatening or dangerous, and then issue alerts or alarms when such traffic is detected. A problem with such systems is that their response capability is limited to alerting. An ability to actively manage packets and flows in response to detected threats or dangers is needed. An additional problem is that such systems are quite slow and do not possess the capability of effectively and efficiently monitoring packet streams at line rates in the gigabit per second, or above, range.
Effort has accordingly been expended in developing intrusion prevention systems. The intrusion prevention system is designed as an active traffic monitoring system. Preferably, such systems are placed “in-line” with respect to the packet data stream, and may exist as part of the infrastructure for the protected network. With such an architecture, the system must operate under the same performance benchmarks as are applicable to a network switch or router. Packets entering the system must be inspected and either forwarded or blocked within a window of a few milliseconds.
It is known that the screening operation performed to examine the packet traffic takes time and thus can delay packet traffic transport throughput. This delay concern is magnified as the volume of traffic to be examined increases and the intrusion detection system presents a potential bottleneck to packet traffic passage. Further delays in throughput time for packet handling result from the use of more comprehensive (and time consuming) screening operations.
The in-line screening process may take the form of a pattern matching operation. In this operation, the passing packet traffic is compared against a library containing stored patterns of known suspicious, threatening or dangerous packet traffic. In the event a match is found between the screened packet traffic and a pattern entry in the library, an alert or alarm may be issued, and furthermore the matching packet traffic may be captured before any damage is done.
In order for such a pattern matching operation to be effective, it is important that the operation not unduly affect packet throughput. In other words, the pattern matching operation must not act as a bottleneck and restrict packet flow. As the rate of packet flow has increased over time (for example, towards and above 2.4 Gbits per second), existing software-based prior art solutions and existing hardware-based prior art solutions (such as direct memory access type matching systems) have been unable to meet throughput needs, unacceptably restricting the flow of packets. For this reason (and others relating to cost and size of the necessary memory), these prior art pattern matching systems no longer present satisfactory solutions.
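The in-line screening operation described above (compare each passing packet against a library of stored patterns, then forward or block) is illustrated by the following added example, which is not part of this document and does not describe the claimed invention. It uses an Aho-Corasick automaton so that each packet byte is consumed once regardless of how many patterns the library holds, which is the throughput property the preceding paragraphs are concerned with; the pattern library and packets are constructed sample data.

```python
from collections import deque
# Constructed pattern library and sample packets (illustrative only, not from the document).
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"../../"]
SAMPLE_PACKETS = [
    (1, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (2, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    (3, b"POST /upload HTTP/1.1\r\n\r\nname=cmd.exe&size=12\r\n"),
]

class PatternLibrary:
    """Aho-Corasick automaton over byte patterns: one pass per packet, independent of library size."""
    def __init__(self, patterns):
        # per state: byte -> next state, patterns ending here, fail link (longest suffix that is a prefix)
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for pat in patterns:                  # build the trie of all stored patterns
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(pat)
        q = deque(self.goto[0].values())      # depth-1 states already fail to the root
        while q:                              # BFS so fail[r] is final before its children
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit matches ending in the suffix
                q.append(s)

    def scan(self, payload):
        """Return (offset, pattern) for every library pattern found, in a single pass."""
        s, hits = 0, []
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits.extend((i - len(p) + 1, p) for p in self.out[s])
        return hits

def screen_packets(library, packets):
    """In-line decision per packet: block (and alert) on any match, otherwise forward."""
    decisions = []
    for pid, data in packets:
        hits = library.scan(data)
        decisions.append((pid, "block" if hits else "forward", [p for _, p in hits]))
    return decisions
```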
A need accordingly exists for a more efficient approach to pattern matching for use in applications such as packet screening.